Posted to oak-commits@jackrabbit.apache.org by md...@apache.org on 2013/04/11 17:28:23 UTC

svn commit: r1466922 - in /jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak: AbstractSecurityTest.java security/authorization/ShadowInvisibleContentTest.java spi/security/authorization/AbstractAccessControlTest.java

Author: mduerig
Date: Thu Apr 11 15:28:23 2013
New Revision: 1466922

URL: http://svn.apache.org/r1466922
Log:
OAK-709: Consider moving permission evaluation to the node state level
test: shadowing an invisible node should result in an access violation on commit

Added:
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ShadowInvisibleContentTest.java   (with props)
Modified:
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java?rev=1466922&r1=1466921&r2=1466922&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/AbstractSecurityTest.java Thu Apr 11 15:28:23 2013
@@ -20,9 +20,11 @@ import javax.annotation.Nullable;
 import javax.jcr.Credentials;
 import javax.jcr.NoSuchWorkspaceException;
 import javax.jcr.SimpleCredentials;
+import javax.jcr.security.AccessControlManager;
 import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginException;
 
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
 import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.oak.api.ContentRepository;
 import org.apache.jackrabbit.oak.api.ContentSession;
@@ -36,6 +38,7 @@ import org.apache.jackrabbit.oak.securit
 import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authentication.ConfigurationUtil;
+import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
 import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
 import org.apache.jackrabbit.oak.spi.security.user.util.UserUtility;
 import org.junit.After;
@@ -108,4 +111,14 @@ public abstract class AbstractSecurityTe
         }
         return userManager;
     }
+    
+    protected JackrabbitAccessControlManager getAccessControlManager(Root root) {
+        PermissionProvider pp = null; // TODO
+        AccessControlManager acMgr = securityProvider.getAccessControlConfiguration().getAccessControlManager(root, NamePathMapper.DEFAULT, pp);
+        if (acMgr instanceof JackrabbitAccessControlManager) {
+            return (JackrabbitAccessControlManager) acMgr;
+        } else {
+            throw new UnsupportedOperationException("Expected JackrabbitAccessControlManager found " + acMgr.getClass());
+        }
+    }
 }
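Review bot: The added `getAccessControlManager(Root root)` still passes `PermissionProvider pp = null; // TODO` and has no Javadoc. Now that it sits in `AbstractSecurityTest`, every security test inherits a manager built without a permission provider. I would add a Javadoc stating that the manager is created with a null `PermissionProvider` and that tests must not rely on it for permission evaluation until the TODO is resolved; what the null means inside the manager is not visible in this hunk. The `else` branch also dereferences `acMgr` when it is null, so a missing manager surfaces as a `NullPointerException` rather than the intended message; `"... found " + (acMgr == null ? "null" : acMgr.getClass())` keeps the diagnostic. The enclosing class starts outside the hunk.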

Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ShadowInvisibleContentTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ShadowInvisibleContentTest.java?rev=1466922&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ShadowInvisibleContentTest.java (added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ShadowInvisibleContentTest.java Thu Apr 11 15:28:23 2013
@@ -0,0 +1,100 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.jackrabbit.oak.security.authorization;
+ 
+import static org.apache.jackrabbit.JcrConstants.NT_UNSTRUCTURED;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import java.security.Principal;
+
+import javax.jcr.NoSuchWorkspaceException;
+import javax.jcr.RepositoryException;
+import javax.jcr.SimpleCredentials;
+import javax.jcr.security.AccessControlManager;
+import javax.security.auth.login.LoginException;
+
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
+import org.apache.jackrabbit.api.security.user.User;
+import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.api.CommitFailedException;
+import org.apache.jackrabbit.oak.api.ContentSession;
+import org.apache.jackrabbit.oak.api.Root;
+import org.apache.jackrabbit.oak.api.Tree;
+import org.apache.jackrabbit.oak.security.privilege.PrivilegeConstants;
+import org.apache.jackrabbit.oak.util.NodeUtil;
+import org.junit.Before;
+import org.junit.Test;
+
+public class ShadowInvisibleContentTest extends AbstractSecurityTest {
+	private static final String USER_ID = "test";
+
+	private Principal userPrincipal;
+  
+    @Before
+    @Override
+    public void before() throws Exception {
+        super.before();
+        
+        User user = getUserManager().createUser(USER_ID, USER_ID);
+        userPrincipal = user.getPrincipal();
+
+        NodeUtil a = new NodeUtil(root.getTree("/")).addChild("a", NT_UNSTRUCTURED);
+        a.setString("x", "xValue");
+        NodeUtil b = a.addChild("b", NT_UNSTRUCTURED);
+        b.setString("y", "yValue");
+        NodeUtil c = b.addChild("c", NT_UNSTRUCTURED);
+        c.setString("propName3", "strValue");
+    }
+     
+    private void setupPermission(Principal principal, String path, boolean isAllow, String privilegeName)
+            throws CommitFailedException, RepositoryException {
+
+        AccessControlManager acMgr = getAccessControlManager(root);
+        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, path);
+        acl.addEntry(principal,AccessControlUtils.privilegesFromNames(acMgr, privilegeName) , isAllow);
+        acMgr.setPolicy(path, acl);
+        root.commit();
+    }
+
+    private Root getLatestRoot() throws LoginException, NoSuchWorkspaceException {
+        ContentSession contentSession = login(new SimpleCredentials(USER_ID, USER_ID.toCharArray()));
+        return contentSession.getLatestRoot();
+    }
+
+    @Test
+    public void testShadowInvisibleNode() throws CommitFailedException, RepositoryException, LoginException {
+        setupPermission(userPrincipal, "/a", true, PrivilegeConstants.JCR_ALL);
+        setupPermission(userPrincipal, "/a/b", false, PrivilegeConstants.JCR_ALL);
+        setupPermission(userPrincipal, "/a/b/c", true, PrivilegeConstants.JCR_ALL);
+
+        Root root = getLatestRoot();
+        Tree a = root.getTree("/a");
+        Tree b = a.addChild("b");
+        assertFalse(b.hasChild("c"));
+
+        try {
+            root.commit();
+        } catch (CommitFailedException e) {
+            assertTrue(e.isAccessViolation());
+        }
+    }
+
+}
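Review bot: `testShadowInvisibleNode` passes when `root.commit()` succeeds, because the `try` block has no failure statement after the commit and the only assertion sits in the `catch`. As written, the test cannot detect the case it is named for: a user denied on `/a/b` adds a new `b` under `/a` and the commit is accepted. Add `fail("commit shadowing /a/b must be rejected with an access violation");` directly after `root.commit();`, together with `import static org.junit.Assert.fail;`; if the lenient form is deliberate while OAK-709 is in progress, a comment should say so. Separately, `getLatestRoot()` does not close the `ContentSession` returned by `login(...)` (unless the base class tracks it), and the local `Root root` in the test shadows the inherited `root` field that `setupPermission` commits on; renaming it to something like `userRoot` would make clear which session is being exercised.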

Propchange: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ShadowInvisibleContentTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ShadowInvisibleContentTest.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision Rev URL

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlTest.java?rev=1466922&r1=1466921&r2=1466922&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlTest.java (original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authorization/AbstractAccessControlTest.java Thu Apr 11 15:28:23 2013
@@ -17,10 +17,8 @@
 package org.apache.jackrabbit.oak.spi.security.authorization;
 
 import javax.jcr.NamespaceRegistry;
-import javax.jcr.security.AccessControlManager;
 import javax.jcr.security.Privilege;
 
-import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
 import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
 import org.apache.jackrabbit.api.security.principal.PrincipalManager;
 import org.apache.jackrabbit.oak.AbstractSecurityTest;
@@ -28,7 +26,6 @@ import org.apache.jackrabbit.oak.api.Roo
 import org.apache.jackrabbit.oak.api.Tree;
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.plugins.name.ReadWriteNamespaceRegistry;
-import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
 
 /**
@@ -66,16 +63,6 @@ public abstract class AbstractAccessCont
         return privs;
     }
 
-    protected JackrabbitAccessControlManager getAccessControlManager(Root root) {
-        PermissionProvider pp = null; // TODO
-        AccessControlManager acMgr = securityProvider.getAccessControlConfiguration().getAccessControlManager(root, NamePathMapper.DEFAULT, pp);
-        if (acMgr instanceof JackrabbitAccessControlManager) {
-            return (JackrabbitAccessControlManager) acMgr;
-        } else {
-            throw new UnsupportedOperationException("Expected JackrabbitAccessControlManager found " + acMgr.getClass());
-        }
-    }
-
     protected RestrictionProvider getRestrictionProvider() {
         if (restrictionProvider == null) {
             restrictionProvider = getSecurityProvider().getAccessControlConfiguration().getRestrictionProvider(getNamePathMapper());
@@ -93,4 +80,4 @@ public abstract class AbstractAccessCont
         }
         return privMgr;
     }
-}
\ No newline at end of file
+}